If step 3 isn't possible, I could live with skipping 2 and 3, and going directly to the web authentication broker, but I would like this to be a one-off process (the site should act as a SSO provider). I am still a bit confused, though, because in this case
the app is using the site as an SSO, which in turn is using Microsoft Account as an SSO :S.

Most tutorials don't go that far (this would probably require some collaboration between the ASP.NET guys and the WinRT guys), and it's a pity, because having a companion site to an app and connecting to both with the same OAuth account is not rare at all.
Help will be appreciated, and I suspect, not only by me.

It's what I want to do. I'll see what adaptations it needs to work with more recent (owin-based) ASP.NET projects and write them down here. Unfortunately, the sample's code is far from production-ready, in the sense that all the authentication and authorisation
logic is in the home\index page.